Internet use involves accessing one or more remote Internet servers for purposes of downloading information or digital files as well as uploading files and messages. Access is accomplished by connecting a terminal or terminal means to a carrier network. Terminal means include traditional terminals, personal computers (PC) and game console devices equipped with network connectivity. Additional devices are used between the terminal means and the carrier network. Such devices include local networking electronic devices as well as electronic devices that connect a local network or terminal means to an external network. Examples of local networking devices include network hubs, network switches, network bridges, network interface cards, and the like. Examples of devices to connect a local network to an external network include routers, cable modems, DSL modems, dial-up modems, and the like.
As used herein, Customer Premises Equipment (CPE) includes terminal means (such as terminals, personal computer or game consoles), local networking devices and electronic devices to connect a local network to an external network such as a carrier network.
As used herein, a “Carrier Network” generally refers to a computer network through which users communicate with various service providers (e.g. Internet web servers). The Carrier Network may be an external network extending from the local network to other external networks, for example, the Internet or “world wide web”. The Carrier Network is maintained by a “Carrier,” which also may serve as a service provider for certain services. For example, a Carrier or a related entity may serve as an Internet service provider (ISP).
Carrier Networks include “Shared Access Carrier Networks,” in which data of multiple users are conveyed together over a shared communications medium between the users and the Intermediate Network, and “Dedicated Connection Carrier Networks,” in which data of each user is conveyed alone between the user and the Intermediate Network and are not combined with data of other users. One of the most prevalent Shared Access Carrier Networks today is found in the Data-Over-Cable (DOC) Network, which includes the traditional network constructed from coaxial cable and the hybrid fiber coaxial (HFC) network constructed with both fiber optical cabling and coaxial cable. Other Shared Access Carrier Networks include wireless and digital subscriber line (xDSL) networks (the xDSL lines typically being aggregated onto an oversubscribed backhaul trunk into the Intermediate Network, with the trunk defining the shared communications medium).
Network carriers and their equipment providers have adopted industry standards in order to increase interchangeability and reduce manufacturing costs for network hardware. For example, DOC Carriers have adopted industry standards such as the Data Over Cable Service Interface Specification (DOCSIS). DOCSIS version 1.0 was issued in 1997 with hardware devices being certified starting in 1999. DOCSIS version 1.1 replaced version 1.0 in 1999-2001 and now accounts for the bulk of installed DOC network equipment. Although released, DOCSIS version 2.0 is not yet widely available. As a result, networks conforming to DOCSIS (i.e. DOCSIS-compliant) use DOCSIS version 1.1 hardware in most cases.
FIG. 1 illustrates an example of such a typical DOCSIS-compliant network.
Data packets are transmitted in a downstream direction from a cable modem termination system (CMTS) 21, which is located in headend 31 (or distribution hub) of a Carrier, over a coaxial cable or combination coaxial cable and fiber optic cable 22 to respective cable modems (CMs) 14 of user local networks. CMs may attach a single terminal means to the DOCSIS-compliant network or may further comprise electronics that function as a network hub (e.g. Ethernet hub) or router function. Many times, the CMs are procured with “firewall” software that is used to block undesirable accesses to the attached local network.
All of the CMs 14 are attached by the coaxial cable 22 to the CMTS 21 in an inverted tree configuration, and each CM 14 connected to the coaxial cable 22 listens to all broadcasts from the CMTS 21 transmitted through the coaxial cable 22 for data packets addressed to it, and ignores all other data packets addressed to other CMs 14.
Theoretically, a CM 14 is capable of receiving data in the downstream direction over a 6 MHz channel with a maximum connection speed of 30-40 Mbps. Data packets also are transmitted in the upstream direction over a 2 MHz channel by the CMs 14 to the CMTS 21, typically using time division multiplexing (TDM) and at a maximum connection speed of 1.5-10 Mbps (up to 30 Mbps when DOCSIS version 2.0 is available).
The headend 31 in the DOCSIS Network includes a plurality of CMTSs, with each CMTS supporting multiple groups of CMs each connected together by a respective coaxial cable. Each such group of CMs connected to a CMTS defines a Shared Access Carrier Network, with the coaxial cable in each representing the shared communications medium. This arrangement of a group of CMs connected to a CMTS by a coaxial cable is referred to herein as a “Cable Network.” Accordingly, the DOCSIS network includes a plurality of Cable Networks 20 originating from CMTSs at the headend 31 of the Carrier, with a particular Cable Network 21 being illustrated in an expanded view in FIG. 1. The DOCSIS network may also include multiple headends, for example, 31, 32 and 33.
Data transmission over a DOCSIS network can be thought of as a downstream data path and an upstream data path. Downstream paths normally refer to transmission from a web server to a terminal means, for example a terminal 11 or personal computer 12. Upstream data transmission is the opposite with data originating in terminal 11 or personal computer 12.
For purposes of this invention, customer premises equipment 20 includes the cable modems 14, terminals 11, personal computers 12 and related interconnections, power sources, etc.
FIG. 2 illustrates a special case of a DOCSIS compatible network (also referred to as a “coaxial based broadband access network”). The cable modem and local area network hub have been combined into a single cable modem hub 19. Such configurations have become particularly popular recently and include both wired and wireless (short distance FM) connections to terminal means. Characteristics of a DOCSIS compatible network include two-way transmission, a maximum 100-mile distance between the farthest cable modem and the cable modem termination system, and the coexistence with other services on the cable network.
Each cable modem is manufactured with a media access control (MAC) address. This 48-bit address is utilized as a “serial” number for purposes of identifying a unique cable modem.
Before a cable modem is permitted to provide connectivity between other CPE devices and the CMTS, it must be initialized. FIG. 3 illustrates typical steps that occur in CM initialization. Of particular interest to this invention are step 308 Establish IP Connectivity and step 312 Transfer Operational Parameters. Step 308 uses a dynamic host configuration protocol (DHCP) server to initialize the cable modem with an Internet protocol address. Also provided is the address of a TFTP server and name of the file stored on the TFTP server containing appropriate operational parameters.
Step 312 transfers a configuration file from a TFTP server to the cable modem. Trivial file transfer protocol (TFTP) servers are required to respond to requests for files with very little security checking. This inherent security weakness is often targeted by “hackers” or other individuals intent upon obtaining unauthorized use of broadband data services.
For example, some customers will attempt to abuse a broadband cable modem service by retrieving a cable modem configuration file from a TFTP server, placing that file on their personal computer and “dissecting” the file to determine how the configuration file instructs the cable modem to perform. The customer will then attempt to share the contents of this file with other “hackers” and/or will attempt to modify the file and trick their cable modem into using their modified file to steal service or an upgraded class of service. As a result, broadband data service providers would like to prevent rogue customers from obtaining the configuration files.
There are many methods for securing the TFTP server to try to limit access so that only legitimate cable modems may request files from the TFTP server. These methods typically involve implementing filters on the cable modems or placing network firewalls in front of the TFTP servers. While these methods are often effective, many times they are not, due to human error and misconfiguration of the filters or firewalls.
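The following is an added illustration, not code from the patent or from any DOCSIS implementation, of the two points above: how little a TFTP read request (RFC 1350 RRQ: opcode, filename, mode) carries for a server to check at step 312, and how a filter in front of the TFTP server can tie each config-file request back to what the DHCP server handed out at step 308. The lease table, addresses, MACs and file names are constructed sample values; the check simply refuses any RRQ whose source address was not leased to a cable modem, or whose filename is not the one assigned to that modem.

```python
import struct
from dataclasses import dataclass
from typing import Tuple

OP_RRQ = 1  # TFTP read request opcode (RFC 1350)


@dataclass
class ReadRequest:
    filename: str
    mode: str


def parse_rrq(packet: bytes) -> ReadRequest:
    """Parse a TFTP RRQ: 2-byte opcode, filename NUL, mode NUL. No credentials."""
    if len(packet) < 4 or struct.unpack("!H", packet[:2])[0] != OP_RRQ:
        raise ValueError("not a TFTP RRQ")
    fields = packet[2:].split(b"\x00")
    if len(fields) < 3 or not fields[0] or not fields[1]:
        raise ValueError("malformed RRQ")
    name = fields[0].decode("ascii", errors="replace")
    if "/" in name or "\\" in name or ".." in name:
        raise ValueError("path separators not allowed in config file names")
    return ReadRequest(name, fields[1].decode("ascii", errors="replace").lower())


def build_rrq(filename: str, mode: str = "octet") -> bytes:
    """Encode an RRQ the way a modem would send it (used here to build samples)."""
    return struct.pack("!H", OP_RRQ) + filename.encode() + b"\x00" + mode.encode() + b"\x00"


# Constructed sample of what the DHCP server leased at step 308:
# modem IP -> (modem MAC, config file name it was told to fetch).
LEASES = {
    "10.1.2.17": ("00:11:22:33:44:55", "gold.cm"),
    "10.1.2.18": ("00:11:22:33:44:66", "silver.cm"),
}


def config_request_allowed(src_ip: str, packet: bytes) -> Tuple[bool, str]:
    """Filter decision for one RRQ: serve only the file assigned to the leasing modem."""
    try:
        rrq = parse_rrq(packet)
    except ValueError as exc:
        return False, str(exc)
    lease = LEASES.get(src_ip)
    if lease is None:
        return False, "requester is not an address leased to a cable modem"
    _, assigned = lease
    if rrq.filename != assigned:
        return False, f"modem asked for {rrq.filename!r} but was assigned {assigned!r}"
    return True, "ok"
```

A real deployment would look the lease up in the DHCP server's state rather than a static table, and the filter is only as good as that table's freshness, which is the misconfiguration risk the paragraph above describes.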
Thus what would be useful is a system and method that prevents unauthorized retrieval of cable modem configuration files from an available file server. As is demonstrated below, applicants have developed such a method that is secure yet fully compatible with DOCSIS specifications.